Is "IoT Security" an Oxymoron?

Last night I attended a Meetup on Cyber Security with a IoT context sponsored by Kerpashky Lab. It was a great night with hosted by a female with three well credentialed females as the guest panelists. There was a interesting presentation on Cyber Security followed by a Q&A with the panel. KASPERSKY LAB CYBER SECURITY MEETUP EVENT

This rhetorical question occurred to me:

Is "IoT Security" an Oxymoron?

I am reminded of what oxymoron means from the Danny DeVito movie "Army Intelligence"(Renaissance Man) . Tongue-in-check he teaches to some army personal, "An oxymoron is when you take two words that are totally opposite and you jam them together, like Amy and Intelligence"; implying there is no intelligence in army.

The point of the oxymoron rhetoric above is that security is quite problematic with the Internet of Things (IoT). You have millions of devices out on the edge ,each with security credentials enabling them to interact with highly secure services in the cloud. If one is compromised and goes rogue then we have a problem. How can we ensure security with IoT?

The Edge

An IoT Portal (IoT Hub) may service millions of devices, providing a plethora of sensors and actuators. . These can be very low level microprocessors with little or no security. It does not make much sense for these devices to have direct access to the portal. It is better that they be aggregated behind field gateways that do directly connect to the IoT cloud service from "the edge". Apart from security, there are various reasons why this is desirable. The gateway can filter preprocess and batch the data. It can also respond directly to the data where required (e.g.. alarm conditions). Also field gateways can an do protocol translation to and from protocols that the hub uses. From a security perspective, these gateways can enforce rigorous security between the edge and the cloud.

An issue that was raised last night was privacy. There is a broad range of off-the-shelf IoT devices available for home automation. An example is IoT lighting which via a light vendor specific cloud service, provides remote control of lighting via a phone app. But what if there was logging of your usage in the cloud such that an unscrupulous individual could determine when your home was most vulnerablev. Heaven forbid if the IoT light had a camera in it! There was a recent case where an IoT sex toy was logging users use of it.?

Device Connectivity

Typically an IOT device is configured on the device and at the IoT portal (IoT Hub) for connectivity. On the device end it involves credentials and portal details. This may be stored in software on the device as a device-portal specific encrypted connection string; heaven forbid if was ever not encrypted! A more secure option is for the connectivity to stored in hardware. Windows 10 IoT Core supports TPM which some microprocessors support in firmware or can be added to a device's circuitry as a discrete chip. For development purposes there is a software simulation of TPM for the Raspberry PI with IoT-Core whereas the Qualcomm DragonBoard 410c has TPM built in, as does the Intel Minnowboard MAX

"Windows 10 IoT Core devices connected to Azure can be secured with the Trusted Platform Module, which makes them impervious to cloning and impersonation. This is essential for devices that need to be secure and trusted. Unlike in the traditional approach in which the device credentials are stored directly on the device (in the application code or a configuration file), devices equipped with TPM store device credentials in a dedicated hardware device. Once stored, the credentials cannot be read or duplicated."

"A Trusted Platform Module (TPM), is a cryptographic coprocessor including capabilities for random number generation, secure generation of cryptographic keys and limitation of their use. It also includes capabilities such as remote attestation and sealed storage."

The deviceClient is then used to send and receive data with the IoT Hub. Note no connection string nor IoT Hub details. The myDevice construct is read from hardware. Whereas the corresponding code without TPM requires a connection string, which could potentially be pirated to other devices:

IoT Site Certification

There used to be a push for eCommerece sites to be accredited, especially with respect to Credit Card transactions.. As such they could display a "trusted" log and there could be some consumer financial protection that consumers could rely oupn. For example "Google Trusted Store". A site that just took your credit card details and then manually processed your transaction is not to be considered trust worthy. A secure transaction usually involves a vetted third party credit card authority. There is though now a move to just using customer reviews for providing users with reliability information.

I would though make a lot of sense to establish a set of guidelines for IoT infrastructure against which such systems could be vetted at edge and cloud to determine their security. For example one requirement would be to use TPM or similar. Perhaps there could be a certification process.